add fwhost1

2022-01-12 04:11:18 +01:00 · 2022-01-12 04:11:18 +01:00 · bd591726ac
commit bd591726ac
parent 489cad342e
10 changed files with 232 additions and 50 deletions
--- a/nix/os/devices/fwhost1/boot.nix
+++ b/nix/os/devices/fwhost1/boot.nix
@ -0,0 +1,8 @@
+{ lib
+, ...
+}:
+
+{
+  boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
+  boot.loader.efi.canTouchEfiVariables = lib.mkForce false; 
+}
--- a/nix/os/devices/fwhost1/configuration.nix
+++ b/nix/os/devices/fwhost1/configuration.nix
@ -0,0 +1,13 @@
+{ ... }:
+
+{
+  imports = [
+    ../../profiles/common/configuration.nix
+    ../../modules/opinionatedDisk.nix
+
+    ./system.nix
+    ./hw.nix
+    ./pkg.nix
+    ./user.nix
+  ];
+}
--- a/nix/os/devices/fwhost1/hw.nix
+++ b/nix/os/devices/fwhost1/hw.nix
@ -0,0 +1,17 @@
+{ ... }:
+
+let
+
+in
+{
+  # TASK: new device
+  hardware.opinionatedDisk = {
+    enable = true;
+    encrypted = false;
+    diskId = "ata-INTEL_SSDSC2BW240A4_PHDA435602332403GN";
+  };
+
+  hardware.enableRedistributableFirmware = true;
+  boot.extraModprobeConfig = ''
+  '';
+}
--- a/nix/os/devices/fwhost1/pkg.nix
+++ b/nix/os/devices/fwhost1/pkg.nix
@ -0,0 +1,18 @@
+{ pkgs
+, ...
+}:
+
+{
+  nixpkgs.config.packageOverrides = pkgs: with pkgs; {
+    nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath;
+  };
+  home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; };
+
+
+  environment.systemPackages = with pkgs; [
+    iw
+    wirelesstools
+  ];
+
+  system.stateVersion = "21.11";
+}
--- a/nix/os/devices/fwhost1/system.nix
+++ b/nix/os/devices/fwhost1/system.nix
@ -0,0 +1,76 @@
+{ pkgs
+, lib
+, config
+, ... }:
+
+let
+  keys = import ../../../variables/keys.nix;
+  passwords = import ../../../variables/passwords.crypt.nix;
+in {
+
+  # TASK: new device
+  networking.hostName = "fwhost1"; # Define your hostname.
+
+  networking.useDHCP = false;
+
+  networking.firewall.enable = lib.mkForce false;
+  networking.firewall.allowedTCPPorts = [
+    # iperf3
+    5201
+  ];
+
+  networking.firewall.logRefusedConnections = false;
+  networking.usePredictableInterfaceNames = false;
+
+  networking.bridges.breth.interfaces = [ "eth0" "eth1" ];
+
+  networking.defaultGateway.address = "172.172.171.10";
+  networking.nameservers = [ "172.172.171.10" ];
+
+  # WAN interfaces, currently unused because the OPNsense guest acts as a router.
+  networking.vlans.wan1.id = 3;
+  networking.vlans.wan1.interface = "breth";
+  networking.interfaces.wan1.ipv4.addresses = [{ address = "192.168.0.15"; prefixLength = 24; } ];
+
+  networking.vlans.wan2.id = 4;
+  networking.vlans.wan2.interface = "breth";
+  networking.interfaces.wan2.ipv4.addresses = [{ address = "172.16.0.15"; prefixLength = 12; } ];
+
+  # Local interfaces, all accessed via VLAN tags on the main bridge
+  networking.vlans.lan.id = 1;
+  networking.vlans.lan.interface = "breth";
+  networking.interfaces.lan.ipv4.addresses = [{ address = "172.172.171.15"; prefixLength = 24; } ];
+
+  networking.vlans.dmz.id = 5;
+  networking.vlans.dmz.interface = "breth";
+  networking.interfaces.dmz.ipv4.addresses = [{ address = "172.172.175.15"; prefixLength = 24; } ];
+
+  networking.vlans.family.id = 6;
+  networking.vlans.family.interface = "breth";
+  networking.interfaces.family.ipv4.addresses = [{ address = "172.172.176.15"; prefixLength = 24; } ];
+
+  networking.vlans.guests.id = 7;
+  networking.vlans.guests.interface = "breth";
+  networking.interfaces.guests.ipv4.addresses = [{ address = "172.172.177.15"; prefixLength = 24; } ];
+
+  services.hostapd = {
+    enable = false;
+    hwMode = "g";
+    interface = "wlan0";
+    ssid = "noowhere-lan";
+    wpaPassphrase = passwords.wifi.noowhere-lan;
+    extraConfig = ''
+      bridge=breth
+    '';
+  };
+
+  virtualisation = {
+    libvirtd = {
+      onShutdown = "shutdown";
+      enable = true;
+    };
+  };
+
+  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
+}
+
--- a/nix/os/devices/fwhost1/user.nix
+++ b/nix/os/devices/fwhost1/user.nix
@ -0,0 +1,15 @@
+{ config
+, pkgs
+, ... }:
+
+let
+  passwords = import ../../../variables/passwords.crypt.nix;
+  keys = import ../../../variables/keys.nix;
+  inherit (import ../../lib/default.nix { }) mkUser;
+
+in {
+  # users.extraUsers.steveej2 = mkUser {
+  #   uid = 1001;
+  #   openssh.authorizedKeys.keys = keys.users.steveej.openssh;
+  # };
+}
--- a/nix/os/devices/fwhost1/versions.nix
+++ b/nix/os/devices/fwhost1/versions.nix
@ -0,0 +1,31 @@
+let
+  nixpkgs = {
+    url = "https://github.com/NixOS/nixpkgs/";
+    ref = "nixos-21.11";
+    rev = "00acdb2aa817048fbe1f91ece18fe7de09762531";
+  };
+in
+
+{
+  inherit nixpkgs;
+  nixos = nixpkgs // {
+    suffix = "/nixos";
+  };
+  "channels-nixos-stable" = nixpkgs;
+
+  "channels-nixos-unstable" = {
+    url = "https://github.com/NixOS/nixpkgs/";
+    ref = "nixos-unstable";
+    rev = "ff377a78794d412a35245e05428c8f95fef3951f";
+  };
+  "nixpkgs-master" = {
+    url = "https://github.com/NixOS/nixpkgs/";
+    ref = "master";
+    rev = "2ac65dd85b7fbe81b88e3c2a80d351aba4c4a9d8";
+  };
+  "home-manager-module" = {
+    url = "https://github.com/nix-community/home-manager";
+    ref = "release-21.11";
+    rev = "697cc8c68ed6a606296efbbe9614c32537078756";
+  };
+}
--- a/nix/os/devices/fwhost1/versions.tmpl.nix
+++ b/nix/os/devices/fwhost1/versions.tmpl.nix
@ -0,0 +1,31 @@
+let
+  nixpkgs = {
+    url = "https://github.com/NixOS/nixpkgs/";
+    ref = "nixos-21.11";
+    rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d '\n' -%>";
+  };
+in
+
+{
+  inherit nixpkgs;
+  nixos = nixpkgs // {
+    suffix = "/nixos";
+  };
+  "channels-nixos-stable" = nixpkgs;
+
+  "channels-nixos-unstable" = {
+    url = "https://github.com/NixOS/nixpkgs/";
+    ref = "nixos-unstable";
+    rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d '\n' -%>";
+  };
+  "nixpkgs-master" = {
+    url = "https://github.com/NixOS/nixpkgs/";
+    ref = "master";
+    rev = "<% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d '\n' -%>";
+  };
+  "home-manager-module" = {
+    url = "https://github.com/nix-community/home-manager";
+    ref = "release-21.11";
+    rev = "<% git ls-remote https://github.com/nix-community/home-manager.git release-21.11 | awk '{ print $1 }' | tr -d '\n' -%>";
+  };
+}
--- a/nix/os/devices/fwhost2/system.nix
+++ b/nix/os/devices/fwhost2/system.nix
@ -1,10 +1,12 @@
 { pkgs
 , lib
 , config
+, utils
 , ... }:

 let
  keys = import ../../../variables/keys.nix;
+  passwords = import ../../../variables/passwords.crypt.nix;
 in {

  # TASK: new device
@ -21,71 +23,46 @@ in {
  networking.firewall.logRefusedConnections = false;
  networking.usePredictableInterfaceNames = false;

-  networking.bridges = {
-    breth.interfaces = [ "eth0" "eth1" ];
-    brlan.interfaces = [
-      "lan"
-      # "wllan"
-    ];
-    brdmz.interfaces = [ 
-      "dmz"
-      # "wldmz"
-    ];
-    brfamily.interfaces = [
-      "family"
-      # "wlfamily"
-    ];
-    brguests.interfaces = [
-      "guests"
-      "wlguests"
-    ];
-  };
+  networking.bridges.breth.interfaces = [ "eth0" "eth1" ];

  networking.defaultGateway.address = "172.172.171.10";
-  networking.nameservers = [
-    "172.172.171.10"
-  ];
+  networking.nameservers = [ "172.172.171.10" ];

  # WAN interfaces, currently unused because the OPNsense guest acts as a router.
  networking.vlans.wan1.id = 3;
-  networking.vlans.wan1.interface= "breth";
+  networking.vlans.wan1.interface = "breth";
  networking.interfaces.wan1.ipv4.addresses = [{ address = "192.168.0.16"; prefixLength = 24; } ];

  networking.vlans.wan2.id = 4;
-  networking.vlans.wan2.interface= "breth";
+  networking.vlans.wan2.interface = "breth";
  networking.interfaces.wan2.ipv4.addresses = [{ address = "172.16.0.16"; prefixLength = 12; } ];

-
-  # Local interfaces
+  # Local interfaces, all accessed via VLAN tags on the main bridge
  networking.vlans.lan.id = 1;
-  networking.vlans.lan.interface= "breth";
-  networking.interfaces.brlan.ipv4.addresses = [{ address = "172.172.171.16"; prefixLength = 24; } ];
+  networking.vlans.lan.interface = "breth";
+  networking.interfaces.lan.ipv4.addresses = [{ address = "172.172.171.16"; prefixLength = 24; } ];

  networking.vlans.dmz.id = 5;
-  networking.vlans.dmz.interface= "breth";
-  networking.interfaces.brdmz.ipv4.addresses = [{ address = "172.172.175.16"; prefixLength = 24; } ];
+  networking.vlans.dmz.interface = "breth";
+  networking.interfaces.dmz.ipv4.addresses = [{ address = "172.172.175.16"; prefixLength = 24; } ];

  networking.vlans.family.id = 6;
-  networking.vlans.family.interface= "breth";
-  networking.interfaces.brfamily.ipv4.addresses = [{ address = "172.172.176.16"; prefixLength = 24; } ];
+  networking.vlans.family.interface = "breth";
+  networking.interfaces.family.ipv4.addresses = [{ address = "172.172.176.16"; prefixLength = 24; } ];

  networking.vlans.guests.id = 7;
-  networking.vlans.guests.interface= "breth";
-  networking.interfaces.brguests.ipv4.addresses = [{ address = "172.172.177.16"; prefixLength = 24; } ];
-
-  networking.wlanInterfaces = {
-    wllan.device = "wlan0";
-    wldmz.device = "wlan0";
-    wlfamily.device = "wlan0";
-    wlguests.device = "wlan0";
-  };
+  networking.vlans.guests.interface = "breth";
+  networking.interfaces.guests.ipv4.addresses = [{ address = "172.172.177.16"; prefixLength = 24; } ];

  services.hostapd = {
-    enable = true;
+    enable = false;
    hwMode = "g";
-    interface = "wlguests";
-    ssid = "noowhere-guests";
-    wpaPassphrase = "the_sekrettt";
+    interface = "wlan0";
+    ssid = "noowhere-lan";
+    wpaPassphrase = passwords.wifi.noowhere-lan;
+    extraConfig = ''
+      bridge=breth
+    '';
  };

  virtualisation = {
@ -93,12 +70,8 @@ in {
      onShutdown = "shutdown";
      enable = true;
    };
-
-    docker = {
-      enable = true;
-      extraOptions = "--experimental";
-    };
  };

  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
 }
+
--- a/nix/variables/passwords.crypt.nix
+++ b/nix/variables/passwords.crypt.nix